Ouch! UK Govt’s Cyber Essentials scheme suffers data breach due to configuration error

Emails exposed, which means phishing attacks could follow…

David bisson
David Bisson

Ouch! UK Govt's Cyber Essentials scheme suffers data breach due to configuration error

The UK Government’s Cyber Essentials digital security scheme has suffered a data breach caused by a configuration error in a software platform.

On 21 June, companies received word of the incident from Dr. Emma Philpott, chief executive at the Information Assurance for Small and Medium Enterprises (IASME) Consortium. One of the scheme’s Accreditation Bodies, IASME has incorporated Cyber Essentials into its information assurance standard. Suppliers wanting to secure contracts for work involving government data must therefore work with a Certification Body licensed by IASME or another Accreditation Body to achieve Cyber Essentials accreditation.

In her email to companies, Philpott explains the breach traces back to a configuration error involving its deployment of a platform developed by Pervade Software and used for Cyber Essentials assessments. As quoted by The Register:

Sign up to our free newsletter.
Security news, advice, and tips.

“An unknown person accessed a list of email addresses in a log file generated by the Pervade assessment platform and your email address, company name and the IP address of the Certification Body was on that list. No other information was accessed. The other information on the assessment portal itself was not affected in any way and no-one has accessed the system, your account, the answers you provided or the report you received. This log file became accessible through a configuration error on the part of one of the Pervade systems engineers. Pervade have taken immediate steps to address the error and have resolved the issue.”

It’s a good thing the breach didn’t affect other suppliers’ financial information. (Other breaches involving UK companies haven’t been as lucky.)

UK GovernmentBut Cyber Essentials stands for better digital security practices. A breach involving this scheme is ironic, to say the least… if not downright infuriating. One affected employee vocalized this latter sentiment to The Register:

“We paid to be audited and registered with the UK Govt Cyber Essentials scheme, in order to be able to do business with govt organisations. Turns out that the info has been leaked, which I guess means that someone now has a list of companies that work with the govt.”

With that information, attackers can conduct phishing campaigns and other attacks against affected companies, possibly with the lure of non-existent government contracts.

Currently, Pervade and IASME are working to fix the error. Let’s hope they follow up these efforts with an explanation of what happened and what they’re doing to prevent it from happening again.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

6 comments on “Ouch! UK Govt’s Cyber Essentials scheme suffers data breach due to configuration error”

  1. Malcolm

    It's only the email addresses that are important here, as the list of accredited companies is published by IASME anyway at https://www.iasme.co.uk/certified-organisations/

    The same is true of other Accreditation Bodies:
    CREST publishes their list at http://www.cyberessentials.org/list/, and
    QG at http://www.qgstandards.co.uk/cyber-essentials-accredited-companies/
    Interestingly APMG does not appear to publish a list.

    1. Ben · in reply to Malcolm


      APMG's list can be found here → https://ces.apmg-certified.com/Organisations.aspx

  2. Etaoin Shrdlu

    Always pay close attention to government instructions, then do the opposite.

  3. Roger Leyland

    This is the government that thinks back doors to encrypted services can be kept safe…

  4. AJC

    El Reg was first alerted to problems with the IASME website by a security researcher last week. "Their web application logs and database AES key are published within the root of their backend application exposing the email addresses, names and IP addresses of users," he told us at the time.

  5. AJC

    Presumably Pervade Software has been added to the unaccredited list?

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.